EH,
I came across your mail asking for opinions on the TigerScheme verses CREST
certifications. Before I comment I feel I should declare my hand by saying
that my organisation is involved in and fully supports CREST.
I was interested to note your table and the conclusions you have arrived at
regarding the attributes of both schemes. Can I suggest that one or two of the
conclusions are perhaps as a result of misunderstanding, or a lack of clarity
in the available information.
CREST is OPEN for examinations having already run its Alpha and Beta test
programs. Moreover, there are two sets of examinations available; one which
covers Infrastructure and one covering Applications, not to mention the core
module which is required regardless of which stream is taken. I understand from
their website that the Tigerscheme is only offering Infrastructure exams.
CREST is indeed an industry body with the aim of improving the level of
demonstrable standards, but has a growing advisory panel made up of the highest
volume consumers (from both the public and private sectors) of these services
who provide advice and direction to CREST to ensure that the standard is high
and appropriate for their needs. In addition, the IAP ensures CREST remains
current as new technologies emerge.
As you may notice from the Members page of the website, CREST is supported by
many of the key players in the security testing market.
The CREST process has been designed to ensure that CREST member companies have
clear demonstrable standards that they provide a quality test to the end user
community.
As noted on the first line of the front page on the CREST website, CREST is a
not-for-profit, wholly independent organisation.
As you rightly point out, both schemes do cater for individuals, however the
CREST Standards also have stringent processes for accepting organisations as
members. Your email suggests that Tigerscheme also do this through the CCTM, I
feel it prudent to point out that the CCTM is a totally separate scheme from
Tigerscheme and is run by CSIA. I quote from the CCTM web site; "Vendors
register to have their product or service tested against their marketing
claims." The CCTM is also quite a costly process with average costs quoted
being circa £20,000+.
Career path is indeed provided for in both schemes. Again, as you point out,
low level examinations do not carry much weight within what is a deeply
technical specialism. The CREST examinations therefore provide a significant
test of an individual's ability - considerably greater than currently exists
within the industry. It therefore represents a difficult but achievable goal
for penetration testers.
The conclusion regarding the CEH is probably the result of misunderstanding the
information on the website. CREST does not 'support' or endorse CEH and the
site has been changed to clarify this, and make the information about the
membership levels easier to digest. We thank you for bringing this lack of
clarity to our attention.
Regards
Paul Docherty
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of EH
Sent: 17 October 2007 12:26
To: pen-test@securityfocus.com
Subject: CREST or TIGER?
All, I would value your opinion. I am trying to make a comparison
between the 'new kids on the block' in terms of pen tester
accreditation here in the UK, CREST and TIGERScheme, for my
organisation. So far I've come up with the following information.
CREST TIGER
An existing examination No Yes
Independent of suppliers No Yes
End user driven No Yes
Not for profit Yes? Yes
Applicable to Individuals Yes? Yes
Company standards Yes Yes (CCTM)
Career path Yes? Yes
University standard No Yes
It seems that the TIGER Scheme www.tigerscheme.org is fully up and
running and accrediting individuals already plus it is a University
based examination which CREST www.crest-approved.org is not.
I see from the CREST website that they are in support of the often
maligned multiple guess CEH examination and will 'grandfather'
individuals into the 'CREST approved' scheme if they have CEH. Now I
am a CEH [amongst other things I hasten to add] and I sat the exam in
early 2003. It was taken reasonably seriously then but it seems that
the pen test communities opinion of the cert has deprecated somewhat
over time ... so is CREST a re-branded EC-COUNCIL? If so will they go
the same way?
To grandfather into TIGER at the lowest level of certification you
need an approved MSc in Computer Security. Basically any certs I
recommend for my organisation I want to be taken seriously now and in
future. I am heavily leaning towards TIGER.
Your thoughts?
Thanks in advance.
EH
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.488 / Virus Database: 269.15.0/1076 - Release Date: 17/10/2007
19:53
###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company,
registered in England in accordance with the Companies
Act under number 02763799. The registered office
address of Portcullis Computer Security Limited is:
The Grange Barn, Pikes End, Pinner, MIDDX,
United Kingdom, HA5 2EX.
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and
do not represent the opinion of the organisation. Access
to this email by persons other than the intended recipient
is strictly prohibited.
If you are not the intended recipient, any disclosure,
copying, distribution or other action taken or omitted to be
taken in reliance on it, is prohibited and may be unlawful.
When addressed to our clients any opinions or advice
contained in this email is subject to the terms and
conditions expressed in the applicable Portcullis Computer
Security Limited terms of business.
###############################################################
#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared
by MailMarshal.
#####################################################################################
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
